
Summary
This detection rule identifies logon events that use NTLM (NT LAN Manager). Such logons may come from legitimate legacy systems that support nothing newer, or from unauthorized access attempts by an attacker. NTLM is an older authentication protocol that is weaker than modern alternatives such as Kerberos, so its use can indicate a security issue. The rule monitors Event ID 8002 in the Microsoft-Windows-NTLM/Operational log. It adds a layer of monitoring for environments where NTLM is not normally used, helping to detect lateral movement and other suspicious activity. Alerting on these logons lets administrators spot potentially compromised accounts or attacks propagating over less secure channels.
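The following is an added example of the detection logic the summary describes, not code that ships with the rule. It parses exported Windows event XML, keeps only Event ID 8002 records from the Microsoft-Windows-NTLM/Operational channel, suppresses hosts on an allowlist of known legacy NTLM-only systems, and then groups the remaining hits by source host so that one workstation authenticating with NTLM to several servers stands out as a lateral-movement candidate. The sample events, the allowlist, and the EventData field names SourceHost and TargetUser are constructed for this illustration and are not the real 8002 event schema.

```python
"""Added example: NTLM logon detection over constructed Windows event XML.
The EventData field names (SourceHost, TargetUser) are assumptions made for
this illustration, not the documented fields of Event ID 8002."""

import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Standard namespace of the Windows event XML schema.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

NTLM_CHANNEL = "Microsoft-Windows-NTLM/Operational"
NTLM_AUDIT_EVENT_ID = 8002

# Constructed allowlist of hosts known to still require NTLM.
KNOWN_LEGACY_HOSTS = {"LEGACY-SCANNER01"}

# Minimal event XML skeleton used to build the constructed sample records.
EVENT_TEMPLATE = """<Event xmlns="{ns}">
  <System>
    <Provider Name="{provider}"/>
    <EventID>{event_id}</EventID>
    <EventRecordID>{record_id}</EventRecordID>
    <Channel>{channel}</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="SourceHost">{source_host}</Data>
    <Data Name="TargetUser">{target_user}</Data>
  </EventData>
</Event>"""


def make_event(record_id, event_id, channel, computer, source_host, target_user):
    """Build one constructed event record in exported-XML form."""
    provider = "Microsoft-Windows-NTLM" if channel == NTLM_CHANNEL else "Microsoft-Windows-Security-Auditing"
    return EVENT_TEMPLATE.format(ns=EVENT_NS, provider=provider, event_id=event_id,
                                 record_id=record_id, channel=channel, computer=computer,
                                 source_host=source_host, target_user=target_user)


# Constructed sample log: two NTLM audits from one workstation to two servers,
# one from an allowlisted legacy host, and one unrelated Security-log logon.
SAMPLE_EVENTS = [
    make_event(1001, 8002, NTLM_CHANNEL, "FILESRV01", "WS-042", "CORP\\jdoe"),
    make_event(1002, 8002, NTLM_CHANNEL, "FILESRV02", "WS-042", "CORP\\jdoe"),
    make_event(1003, 8002, NTLM_CHANNEL, "FILESRV01", "LEGACY-SCANNER01", "CORP\\svc-scan"),
    make_event(1004, 4624, "Security", "FILESRV01", "WS-042", "CORP\\jdoe"),
]


@dataclass
class NtlmAlert:
    record_id: str
    computer: str      # server that wrote the audit event
    source_host: str   # host that presented NTLM credentials
    target_user: str


def parse_event(xml_text):
    """Extract the System fields and EventData name/value pairs from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
        "channel": system.findtext("e:Channel", default="", namespaces=NS),
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
        "record_id": system.findtext("e:EventRecordID", default="", namespaces=NS),
        "data": data,
    }


def detect_ntlm_logons(events_xml, allowlist=KNOWN_LEGACY_HOSTS):
    """Return an alert for every 8002 record in the NTLM channel whose source
    host is not on the legacy allowlist. Other channels and IDs are ignored."""
    alerts = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["channel"] != NTLM_CHANNEL or ev["event_id"] != NTLM_AUDIT_EVENT_ID:
            continue
        source = ev["data"].get("SourceHost", "")
        if source.upper() in {h.upper() for h in allowlist}:
            continue  # expected legacy NTLM use, suppressed
        alerts.append(NtlmAlert(ev["record_id"], ev["computer"], source,
                                ev["data"].get("TargetUser", "")))
    return alerts


def lateral_movement_candidates(alerts, min_targets=2):
    """Group alerts by source host; a source reaching min_targets or more
    distinct servers over NTLM is returned as a lateral-movement candidate."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a.source_host].add(a.computer)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    found = detect_ntlm_logons(SAMPLE_EVENTS)
    for a in found:
        print(f"NTLM logon audit {a.record_id}: {a.source_host} -> {a.computer} as {a.target_user}")
    print("lateral movement candidates:", lateral_movement_candidates(found))
```

Two points matter in practice. First, Event ID 8002 and its siblings in the NTLM/Operational log are only written when the "Network security: Restrict NTLM" audit settings are enabled; an empty channel means the policy is off, not that NTLM is unused. Second, the allowlist is the tuning knob: without it, legacy scanners, printers and similar devices that genuinely need NTLM will dominate the alert volume and bury the single workstation that suddenly starts authenticating to many servers.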
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
Created: 2018-06-08